Authentication method, encryption method, decryption method, cryptographic system and recording medium

ABSTRACT

An authentication method, encryption method, decryption method, cryptographic system and recording medium are disclosed. The present invention includes the steps of decrypting authentication information and a content provider's public key stored in a certificate signed by a certificate authority with a public key of the certificate authority, authenticating the content provider using the decrypted authentication information, and authenticating the public key of the content provider by checking the decrypted public key of the content provider. The present invention also provides an encryption method that includes the steps of encrypting content data with a secret key, encrypting the secret key with a public key, and transferring the encrypted content data and the encrypted secret key.

This application claims the benefit of the Korean Patent Application No. 10-2005-0113647, filed on Nov. 25, 2005, and No. 10-2005-0113648, filed on Nov. 25, 2005, which are hereby incorporated by reference as if fully set forth herein.

This application claims the benefit of the U.S. Provisional Application No. 60/641,779, filed on Jan. 7, 2005, in the name of inventor Kun Suk KIM, entitled “METHOD FOR SECURITY AND CERTIFICATIOND OF DIGITAL CONTENTS”, which is hereby incorporated by reference as if fully set forth herein.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an authentication method, encryption method, decryption method, cryptographic system and recording medium.

2. Discussion of the Related Art

Recently, a new high-density recording medium, e.g., Blu-ray disc (hereinafter abbreviated BD) has been developed to store video data of high image quality and audio data of high sound quality for long duration.

The BD, as a next generation recording medium technology, is a next generation optical recording solution with a data capacity far surpassing that of a conventional DVD. Many efforts are being made to research and develop the BD together with other digital devices.

Moreover, many efforts are being made to research and develop an optical record player applying the BD specifications. Since a security scheme for the BD has not yet been established, the development and deployment of a complete optical record player remain difficult in practice.

Besides, the above-explained recording medium is provided with a networking function that enables a CA and a user to exchange information with each other over a network. In this case, no clear method of verifying whether the CA and the user can be trusted has yet been settled, which is a problem.

An object of the present invention is to provide security to a high-density optical recording medium using a public key infrastructure (PKI) that is currently and widely used.

Another object of the present invention is to provide a certificate to a user on a network using the public key infrastructure (PKI).

To achieve these objects, the public key infrastructure is used. FIG. 1 is a flowchart of an authentication method using the public key infrastructure. In the public key infrastructure (PKI), a public key and a private key are used.

The public key is made available to everyone via a publicly accessible repository or directory. To encrypt and transmit information, the information is encrypted using the public key and the encrypted information is then transmitted. The private key, on the other hand, is kept secret by its owner. Because the key pair is mathematically related, whatever is encrypted with the public key can only be decrypted with its corresponding private key and, in the case of RSA, vice versa.

In FIG. 1, authentication information 101 is encrypted via an encryption algorithm 102 using a private key 106 of a trusted certificate authority (CA). A cipher text 103 generated from the encryption is decrypted via a decryption algorithm 104 using a public key 107 of the trusted CA. And, a person to be authenticated is authenticated using an authentication information 105 obtained from a result of the decryption.

Positions of the private and public keys 106 and 107 shown in FIG. 1 can be switched to each other. In this case, the authentication information is encrypted with the public key and the encrypted authentication information is decrypted with the private key to obtain the authentication information.

Meanwhile, with the development of recording media and networks such as the Internet, problems including hacking and the like arise. Although security technologies including various certificate-based authentication methods have been developed, a secure scheme for the new high-density optical recording medium has not yet been determined. In particular, since no clear and efficient method of authenticating a server such as a CP exists for the BD, a security problem remains unsolved.

The present invention, which is proposed to solve the problem, provides an authentication method using a certificate and a recording medium storing the certificate. And, the present invention provides an encryption method using a secret key, a decryption method and a cryptographic system.

According to the present invention, a true content provider (CP) and data provided from the content provider are protected as well as a user's playback system. Hence, security can be provided to a new high-density optical recording medium.

SUMMARY OF THE INVENTION

Accordingly, the present invention is directed to an authentication method, encryption method, decryption method, cryptographic system and recording medium that substantially obviate one or more problems due to limitations and disadvantages of the related art.

An authentication method according to the present invention proposed to solve the above-explained problem is characterized in using a certificate. The certificate is a certificate signed by a certificate authority. And, authentication information and a content provider's public key are stored in the certificate.

Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

To achieve these objects and other advantages and in accordance with the purpose of the invention, as embodied and broadly described herein, an authentication method according to the present invention includes the steps of decrypting authentication information and a content provider's public key in a certificate signed by a certificate authority with a public key of the certificate authority, authenticating the content provider using the decrypted authentication information, and authenticating the content provider's public key by checking the decrypted public key of the content provider.

For example, the authentication method further includes the step of checking whether the certificate is valid before performing authentication.

For example, the encrypted authentication information and the content provider's public key are encrypted using a private key of the certificate authority.

For example, the certificate is one of a plurality of certificates in a certificate chain.

For example, the certificate is stored as a file in a recording medium.

For example, the file exists in a directory storing the certificate only within the recording medium.

For example, the certificate is a certificate downloaded from an outside of a recording medium.

For example, the certificate follows X.509 of a public key infrastructure (PKI).

For example, the certificate is a certificate used in authenticating data stored within a recording medium.

For example, the certificate is a root certificate used in authenticating an application within a recording medium and/or a local storage.

For example, the certificate is a root certificate used in verifying a signature located at a signature file of a binding unit associated with a recording medium within a local storage.

In another aspect of the present invention, a recording medium includes a data area storing content data and an authentication management area storing authentication information, wherein a certificate generated by encrypting the authentication information and a public key of a content provider is stored in the authentication management area.

For example, a private key of a certificate authority is used in encrypting the authentication information.

For example, the certificate is one of a plurality of certificates in a certificate chain.

For example, the certificate exists in a directory storing the certificate only within a file structure within the recording medium.

For example, the certificate is a certificate used for authentication of data within the recording medium.

For example, the certificate is a root certificate used for authentication of an application within the recording medium.

For example, the certificate is a root certificate used in verifying a signature located at a signature file of a binding unit associated with the recording medium within a local storage.

For example, the certificate follows X.509 of a public key infrastructure (PKI).

In another aspect of the present invention, an encryption method includes the steps of encrypting content data with a secret key, encrypting the secret key with a public key, and transferring the encrypted content data and the encrypted secret key.

For example, the public key belongs to an optical terminal.

For example, the public key belongs to a content provider.

For example, the content data is encrypted by AES algorithm.

For example, the content data is encrypted by DES algorithm.

For example, the secret key is encrypted by RSA cryptographic algorithm.

For example, the public key is distributed by a handshake process between a content provider and an optical player.

For example, the secret key includes a session key.

For example, the session key is generated by using random data.

In another aspect of the present invention, a decryption method includes the steps of receiving an encrypted secret key and encrypted content data, decrypting the encrypted secret key, and decrypting the encrypted content data using the decrypted secret key.

For example, the encrypted secret key is decrypted using a private key of an optical player.

For example, the encrypted secret key is decrypted using a private key of a content provider.

For example, the encrypted secret key is decrypted by RSA cryptographic algorithm.

For example, the encrypted content data is decrypted by AES algorithm.

For example, the encrypted content data is decrypted by DES algorithm.

For example, the secret key includes a session key.

For example, the session key is generated by using random data.

In a further aspect of the present invention, a cryptographic system includes an encryption system encrypting content data with a secret key, the encryption system encrypting the secret key with a public key, the encryption system transferring the encrypted content data and the encrypted secret key and a decryption system receiving the encrypted secret key and the encrypted content data, the decryption system decrypting the encrypted secret key, the decryption system decrypting the encrypted content data using the decrypted secret key.
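The encryption, decryption and cryptographic system aspects summarized above, as an added worked example in Go; this code is not part of the patent and is not the applicant's implementation. It uses AES-256 in GCM mode as the content cipher, a 256-bit random session key, and RSA-OAEP with SHA-256 to encrypt that session key under the optical player's public key. The mode, padding scheme, key sizes, the OAEP label and the sample content are this example's own choices. The patent also names DES as an option; DES has a 56-bit key and is obsolete, so it is not used here, and GCM is chosen over unauthenticated AES so that a tampered content stream is rejected instead of being decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose. It is an assumption of this
// example, not a value taken from the patent.
var oaepLabel = []byte("bd-content-session-key")

// Envelope is what the encryption system transfers to the decryption system:
// the content encrypted with the secret (session) key, and that key encrypted
// with the recipient's public key.
type Envelope struct {
	EncryptedKey []byte // RSA-OAEP ciphertext of the 256-bit session key
	Nonce        []byte // AES-GCM nonce, unique per message
	Ciphertext   []byte // AES-GCM ciphertext of the content, tag appended
}

// Encrypt performs the three steps of the encryption method: encrypt the
// content with a random secret key, encrypt that key with the recipient's
// public key, and bundle both for transfer.
func Encrypt(recipient *rsa.PublicKey, content []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // session key generated from random data
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		EncryptedKey: wrapped,
		Nonce:        nonce,
		Ciphertext:   gcm.Seal(nil, nonce, content, nil),
	}, nil
}

// Decrypt is the decryption method: unwrap the session key with the
// recipient's private key, then decrypt the content with it. A modified
// ciphertext or a wrong private key yields an error, never bogus plaintext.
func Decrypt(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.EncryptedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("content authentication failed: %w", err)
	}
	return plain, nil
}

func main() {
	playerKey, err := rsa.GenerateKey(rand.Reader, 2048) // the optical player's key pair
	if err != nil {
		panic(err)
	}
	content := []byte("constructed sample: bytes of an AV clip") // constructed input
	env, err := Encrypt(&playerKey.PublicKey, content)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(playerKey, env)
	fmt.Printf("decrypted: %q err=%v\n", got, err)

	env.Ciphertext[0] ^= 0x01 // an attacker flips one bit in transit
	_, err = Decrypt(playerKey, env)
	fmt.Println("tampered content:", err)
}
```

Decrypt fails both when the recipient's private key is wrong (the OAEP unwrap detects it) and when a single bit of the ciphertext changes (the GCM tag check detects it), so the decryption system never acts on content it has not authenticated.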

It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the invention as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principle of the invention. In the drawings:

FIG. 1 is a flowchart of an authentication method using a public key infrastructure according to a related art;

FIG. 2 is a diagram of a security infrastructure in a recording medium according to the present invention;

FIG. 3 is a schematic diagram of a generation of a certificate according to the present invention;

FIG. 4 is a diagram of a certificate chain used in an authentication method according to the present invention;

FIG. 5 is a diagram of a file structure of a recording medium according to the present invention, in which a certificate according to the present invention is stored in the recording medium;

FIG. 6 is a flowchart of an authentication method using a certificate within a recording medium according to the present invention;

FIG. 7 is a diagram of an authentication method in a network according to the present invention;

FIG. 8 is a diagram of an authentication method in a network according to the present invention;

FIG. 9 is a flowchart of an SSL handshake according to one embodiment of the present invention;

FIG. 10 is a diagram for an encryption method using a secret key according to the present invention; and

FIG. 11 is a flowchart of an encryption and decryption method using a secret key and a public key according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

First of all, a digital authentication method in a recording medium according to one preferred embodiment of the present invention and a digital authentication method on a network according to one preferred embodiment of the present invention will be explained with reference to the attached drawings as follows.

FIG. 2 is a diagram of a security infrastructure in a recording medium according to the present invention.

First of all, storage resources such as PlayList, AV clips and the like and network resources are stored in a recording medium according to the present invention.

These resources need to be protected against an unauthorized entity such as a hacker and the like. For this, authentication, key generation & distribution, a certificate issued by a trusted certificate authority, encryption/decryption and the like are used.

The present invention relates to an authentication method in a recording medium using certificates signed by a trusted certificate authority (hereinafter abbreviated CA) and a recording medium storing the certificates.

Referring to FIG. 2, a trusted root CA 202 verifies and certifies the authenticity of an AACS (advanced access content system) or CPS (content protection system) 201. The AACS or CPS 201 in turn verifies and certifies the authenticity of content providers 204, 205 and 206. In this case, the AACS or CPS 201 itself acts as a trusted CA 202 certifying the content providers 204, 205 and 206.

The certification is carried out by certificates. A certificate is an electronic document attached to a public key by a trusted third party or CA (AACS or CPS), which provides proof that the public key belongs to a legitimate owner and has not been compromised. Certificates are issued by CAs (certificate authorities) and are signed with the CA's private key. Furthermore, the certificates are used in proving AACS, CPS or CPs' identities or rights.

Certificates bind an identity to a pair of keys that can be used in encrypting and signing information. A certificate makes it possible to verify someone's claim that he has the right to use a given key, thereby preventing people from using phony keys to impersonate other users.

Besides, a certificate may contain version, serial number, signature algorithm, issuer, valid from, valid to, subject, public key, CA's signature and the like.

Certificates can be stored in a recording medium to be provided to a user. Certificates can be supplied to the user 203 from a CP via a network outside the recording medium.

FIG. 3 is a schematic diagram of a generation of a certificate according to the present invention.

Referring to FIG. 3, a certificate 305 is generated by encrypting authentication information 301 for an authentication target and a CP's public key 302 via a signature algorithm 303.

In particular, a digest of the authentication information 301 and the CP's public key 302 is calculated using a hash function. The digest is encrypted with a CA's private key to generate a digital signature. The digital signature is then stored to generate the certificate 305.

Besides, this operation, encrypting the digest with the private key via the signature algorithm, is called signing.

A digital signature functions for electronic documents like a handwritten signature does for printed documents. The signature is an unforgeable piece of data asserting that a named entity wrote or otherwise agreed to the document to which the signature is attached. In other words, digital signatures enable authentication of digital messages, assuring the user of both the identity of the CP and the integrity of the messages. Only the holder of the private key can produce the signature, so a valid signature proves that the named entity signed, and the signed data cannot be changed without invalidating the signature.

The signature algorithm 303 can employ various cryptographic algorithms such as RSA (Rivest-Shamir-Adleman), DSA (digital signature algorithm) and the like. Currently, RSA is the most popular public key cryptographic algorithm; it operates with a public and a private key. RSA signs with the private key and can also encrypt with the public key, so a single RSA key pair can serve both signing and encryption. DSA is similar to RSA in being a public key algorithm, but unlike RSA it is a signature-only algorithm and cannot be used for encryption.

Besides, the authentication information may correspond to the digital signature of the CP. In this case, the CP's private key can be used for the generation of the CP's digital signature.

Moreover, the authentication information may correspond to a specific message that the trusted CA certifies authenticity of the CP or the CP's public key.

A private key 304 of the trusted CA can be used for the encryption of the authentication information and the CP's public key 302. The trusted CA corresponds to a trusted third party, an AACS, a CPS or another CA. If necessary, the CP can become the trusted CA by itself.

The generated certificate 305 is stored in a specific area of a recording medium to be used or can be used for a place that needs the certificate on a network. A user, e.g., a BD terminal decrypts the digital signature included in the certificate 305 using the CA's public key to obtain the authentication information and the CP's public key.

Besides, without the public key corresponding to the CA's private key used for encrypting the authentication information and the CP's public key, the authentication information and the CP's public key in the certificate cannot be decrypted. Namely, the CP and the CP's public key cannot be authenticated.

The BD terminal can authenticate the CP from the decrypted authentication information. The authentication of the CP using the authentication information can be executed in various ways. For instance, a digest is computed by applying the hash function to the authentication information and the CP's public key, the digest is encrypted, and the encrypted digest is then transferred together with the non-encrypted authentication information and CP's public key. The receiver decrypts the encrypted digest, applies the hash function to the non-encrypted authentication information and CP's public key to compute a digest, and compares the decrypted digest with the computed one. If the two are equal, the authentication is completed. Otherwise, the authentication fails.

Moreover, having been encrypted using the CP's private key, the authentication information can be sent to a user together with the CP's public key corresponding to the private key. In this case, the signature algorithm is applicable to the encryption that uses the CP's private key. And, the digital signature generated from the signature algorithm becomes the CP's digital signature. The digital signature is encrypted using a private key of the trusted CA certifying the authenticities of the CP's identity and the CP's public key to be provided to a user together with the CP's public key.
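The digest-then-sign procedure of FIG. 3 and the verification just described, as an added example in Go; this is not the patent's own code. The `CPCertificate` structure, the length-prefixed digest, the choice of SHA-256 with RSA PKCS#1 v1.5 and the sample authentication string are assumptions of this example, and a production system would use an X.509 certificate instead, as the summary above also allows. The second case in `main` shows why the CP's public key must be covered by the CA's signature: a disguised site that substitutes its own key cannot produce a matching signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
)

// CPCertificate is a minimal stand-in for certificate 305: authentication
// information 301, the CP's public key 302 (DER encoded) and the CA's
// signature over both. It is a teaching structure, not an X.509 certificate.
type CPCertificate struct {
	AuthInfo  []byte
	CPPubKey  []byte
	Signature []byte
}

// digest hashes 301 and 302 as one message; the length prefix keeps
// "ab"+"c" and "a"+"bc" from producing the same digest.
func digest(authInfo, cpPubKey []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(authInfo)))
	h.Write(n[:])
	h.Write(authInfo)
	h.Write(cpPubKey)
	return h.Sum(nil)
}

// Sign is the CA's side of FIG. 3 (step 601 of FIG. 6): compute the digest of
// 301 and 302 and sign it with the CA's private key (RSA PKCS#1 v1.5, SHA-256).
func Sign(caKey *rsa.PrivateKey, authInfo []byte, cpPub *rsa.PublicKey) (*CPCertificate, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(cpPub)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, digest(authInfo, pubDER))
	if err != nil {
		return nil, err
	}
	return &CPCertificate{AuthInfo: authInfo, CPPubKey: pubDER, Signature: sig}, nil
}

// Verify is the BD terminal's side (step 603): recompute the digest from the
// clear fields, check the signature with the CA's public key, and only then
// hand back the CP's public key carried in the certificate.
func Verify(caPub *rsa.PublicKey, c *CPCertificate) (*rsa.PublicKey, error) {
	if err := rsa.VerifyPKCS1v15(caPub, crypto.SHA256, digest(c.AuthInfo, c.CPPubKey), c.Signature); err != nil {
		return nil, fmt.Errorf("authentication not completed: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(c.CPPubKey)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", pub)
	}
	return rsaPub, nil
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	caKey, cpKey, fakeKey := mustKey(), mustKey(), mustKey()
	// Constructed authentication information; a real CA would put a statement
	// about the CP's identity here.
	cert, err := Sign(caKey, []byte("CP1 is an authentic content provider"), &cpKey.PublicKey)
	if err != nil {
		panic(err)
	}
	_, err = Verify(&caKey.PublicKey, cert)
	fmt.Println("genuine certificate:", err)

	// A disguised site swaps in its own public key; the CA's signature no longer matches.
	forged := *cert
	forged.CPPubKey, _ = x509.MarshalPKIXPublicKey(&fakeKey.PublicKey)
	_, err = Verify(&caKey.PublicKey, &forged)
	fmt.Println("substituted key:    ", err)
}
```

Verification must complete before the public key in the certificate is used for anything; returning the key only on success, as `Verify` does, makes it hard to use an unauthenticated key by accident.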

Besides, the authentication in the present invention means a confirmation of a CP's authenticity or a confirmation of an authenticity of the public key generated from the CP or BD terminal. The CP is an entity providing data or a specific function to the BD terminal via a recording medium or network. The authentication can be used in checking integrity of the data provided by the CP and in checking authenticity of the CP or public key.

Namely, the certificate 305 according to the present invention is used in authenticating one party's public key (the CP's) by using another party's (the CA's) public key. In other words, the certificate provides proof that the CP's public key 302 belongs to its legitimate owner and has not been compromised. The CP and the BD terminal generate their private/public key pairs and obtain certificates through the trusted CA.

Besides, the CP's public key 302 can be used for the purpose of encryption and the like executed after the authentication as well as for the purpose of the above-explained authentication.

In providing content to a user, the CP can sign the content and can enclose a certificate to certify a user that the content is actually sent by the CP.

FIG. 4 is a diagram of a certificate chain used in an authentication method according to the present invention.

First of all, multiple certificates can be enclosed with content, forming a hierarchical chain, wherein each certificate testifies to the authenticity of the previous one. At the top of the certificate hierarchy is a root CA that is trusted without a certificate from any other CA. Certificates are stored in a key database that is placed in a recording medium or BD terminal.

Referring to FIG. 4, a trusted root CA can perform a certification 402 of the authenticity of an AACS, a certification 403 of the authenticity of a CPS or a certification 404 of the authenticity of another CA. As a proof for this, the trusted root CA issues each certificate. The AACS, CPS or another CA can independently certify the authenticities of infrastructures such as a BD terminal, a CP and the like (402-1, 402-2, 402-3). Such a structure is called a certificate chain.

Besides, the certification may include a certification for private/public key pairs generated from the BD terminal and/or CPs.

There exists no higher CA that can certify the trusted CA in the certificate chain. In this case, the trusted root CA certifies itself (401) to issue a certificate that corresponds to a root certificate 401.

Each of the CAs composes a certificate revocation list (CRL). In authenticating the CP or the CP's public key by receiving a downloaded certificate revocation list, a CP or user checks whether a certificate to be used for authentication is revoked. If the certificate to be used for the authentication is revoked, the authentication is not completed.

The certificate generated through the certificate chain is stored as a file format in a specific area of a recording medium. The certificate can be used for authentication or can be downloaded to a player from an outside of the recording medium. And, the certificate can be used for authentication of the BD terminal or CP on a network.

FIG. 5 is a diagram of a file structure of a recording medium according to the present invention, in which certificates generated from the process in FIG. 3 are stored in the recording medium.

Referring to FIG. 5, in a recording medium according to the present invention, at least one BDMV directory 502 and a directory storing a certificate, e.g., a CERTIFICATE directory 507 exist below one root directory 501.

The BDMV directory 502 includes an index file (“index.bdmv”) 503 as general (upper) file information to secure interactivity with a user, a movie object file (“MovieObject.bdmv”) 504, a PLAYLIST directory 505 having information of data substantially recorded within a disc and information reproducing the recorded data, a CLIPINF directory 506 and the like.

Besides, one or more certificates can exist within a recording medium. The position and directory name of the CERTIFICATE directory 507 are shown in the drawing by way of example. Regardless of the name and position, a file or directory in which data used for authentication of data associated with a recording medium according to the present invention is stored is included in the present invention.

Certificates can exist within the CERTIFICATE directory 507 in various ways, and each piece of data is authenticated using the corresponding certificate. For instance, the CERTIFICATE directory can contain files such as "content000.crt" as a certificate used for authentication of data recorded within a recording medium, "app.discroot.crt" as a trusted root certificate used for authentication of applications, and "bu.discroot.crt" as a certificate used in verifying a signature located in the "Binding Unit Signature file".

FIG. 6 is a flowchart of an authentication method using a certificate within a recording medium according to the present invention.

Referring to FIG. 6, to use in verifying authenticity of a CP or CP's public key, the CP generates a certificate by encrypting authentication information of an authentication target and the CP's public key with CA's private key (601). The generated certificate is then recorded in a recording medium (602). A user, e.g., a BD terminal decrypts the encrypted authentication information and CP's public key within the certificate with CA's public key (603). The CP is then authenticated by the authentication information obtained as a result of the decryption. And, it can be confirmed that the CP's public key belongs to a legitimate owner by the decrypted CP's public key. Namely, by the decrypted authentication information and CP's public key, the CP and the CP's public key are authenticated.

In this case, as mentioned in the foregoing description, the CA corresponds to a trusted certificate authority of a third party, an AACS or a CPS. In encrypting the data with the CA's private key (601), such a signature algorithm as RSA, DSA and the like can be used.

According to the explained flowchart shown in FIG. 6, a user, e.g., a BD terminal can authenticate the CP to confirm that a provided content is not illegally copied but is provided from an authentic CP. Moreover, it can be confirmed that the CP's public key belongs to a legitimate owner.

As mentioned in the foregoing description, the above-generated certificate may be stored in a recording medium to be usable or may be provided to a user from a CP via a network.

FIG. 7 is a diagram of an authentication method in a network according to the present invention, in which a CP is authenticated on a network for example.

Referring to FIG. 7, as mentioned in the foregoing description; a trusted root CA 702 authenticates an AACS or CPS 701. The AACS or CPS 701 can issue certificates certifying CPs 704 and 705, respectively.

A disguised site 706 can pass its public key off as that of the CP 704 or 705 to a BD terminal 703 on a network. In this case, if there is no certificate from the trusted root CA 702, the BD terminal 703 trusts and uses the public key of the disguised site 706 as the authentic public key of the CP 704 or 705 and may provide important information to the disguised site 706. To prevent this danger on a network, a certificate in which the trusted CA 701 or 702 certifies the authenticity of the CP 704 or 705 is needed.

Since the certificate includes a public key of the CP 704 or 705 certified by the trusted CA 701 or 702, the BD terminal 703 can safely use the public key of the CP 704 or 705.

Moreover, FIG. 7 shows a process of downloading the certificate of the CP1 704 to the BD terminal 703 via the network using an SSL (secure socket layer) or TLS (transport layer security). In this case, the disguised site 706 can act as the CP1 704. Yet, since the CP1 704 has to provide the BD terminal 703 with the certificate from the trusted root CA 702 or the AACS or CPS 701, a user can be protected against the disguised site 706. Furthermore, the authentic CPs can be protected in a manner that the disguised site is made not to disguise itself as the authentic CP.

Besides, the CP can be a specific server. And, the BD terminal is explained as an example of a device for recording or playing a high-density optical recording medium. Hence, the present invention is applicable to the device for recording or playing the high-density optical recording medium as a client communicating with the server.
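The certificate chain of FIG. 4, the revocation check described with it, and the disguised-site scenario of FIG. 7, as one added example in Go using the standard library's X.509 support; this is example code, not the patent's own. The CA names, serial numbers, validity periods and 2048-bit RSA keys are this example's choices. `BuildChain` issues a self-signed root, an AACS/CPS CA certified by that root, a content provider certified by the AACS/CPS CA, and a self-signed certificate for a disguised site; `Verify` is the BD terminal's check, which needs to hold only the root certificate and a CRL downloaded from the issuing CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates an RSA key pair and has issuer sign a certificate for it;
// a nil issuer means self-signed, which is how root certificate 401 arises.
func issue(cn string, serial int64, isCA bool, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{ // the fields the description lists: serial, subject, validity ...
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA must be permitted to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Chain is the FIG. 4 hierarchy (root -> AACS/CPS CA -> CP) plus the
// self-signed certificate a disguised site of FIG. 7 might present.
type Chain struct {
	Root, AACS, CP, Fake *x509.Certificate
	AACSKey              *rsa.PrivateKey // signs the AACS/CPS CA's CRL
}

// BuildChain issues the example certificates; names and serials are made up.
func BuildChain() (*Chain, error) {
	root, rootKey, err := issue("Trusted Root CA (example)", 1, true, nil, nil)
	if err != nil {
		return nil, err
	}
	aacs, aacsKey, err := issue("AACS/CPS CA (example)", 2, true, root, rootKey)
	if err != nil {
		return nil, err
	}
	cp, _, err := issue("Content Provider 1 (example)", 3, false, aacs, aacsKey)
	if err != nil {
		return nil, err
	}
	fake, _, err := issue("Disguised site (example)", 4, false, nil, nil)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, AACS: aacs, CP: cp, Fake: fake, AACSKey: aacsKey}, nil
}

// IssueCRL has the AACS/CPS CA publish a CRL listing the given certificate.
func (c *Chain) IssueCRL(revoked *x509.Certificate) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, c.AACS, c.AACSKey)
}

// Verify is the BD terminal's check: build a path from the presented
// certificate to the root it already trusts, then consult the downloaded CRL.
func (c *Chain) Verify(leaf *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.AACS)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(c.AACS); err != nil { // only the issuer's own CRL counts
		return err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate %q is revoked", leaf.Subject.CommonName)
		}
	}
	return nil
}
```

With `c, _ := BuildChain()`, `c.Verify(c.CP, crl)` succeeds for a CRL that does not list the CP, `c.Verify(c.Fake, crl)` fails with an unknown authority error because the disguised site's certificate does not chain to the trusted root, and after `crl, _ := c.IssueCRL(c.CP)` the genuine CP is rejected as revoked. The CRL is signature-checked against its issuer before it is consulted; without that step an attacker could supply a forged list that hides a revoked certificate.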

FIG. 8 is a diagram of an authentication method in a network according to the present invention.

Referring to FIG. 8, a certificate is generated by encrypting authentication information of a CP as an authentication target and the CP's public key with a trusted CA's private key to authenticate the CP on a network (801). The certificate encrypted by the CA's private key is called a certificate signed by the CA. If a user, e.g., BD terminal requests a certificate of the CP via the network (802), the CP transfers the certificate via the network (803). The transferred certificate is decrypted with the CA's public key by the BD terminal (804). By the decrypted authentication information and CP's public key, the CP and the CP's public key are authenticated (805).

Besides, the authentication information may correspond to the content of certifying authenticity of the CP by itself. In some cases, the authentication information may correspond to information necessary for the authentication of the CP. For instance, the authentication information may become a digital signature generated via signature algorithm performed on specific data about the CP using the CP's private key. The CP's public key that is encrypted to be transferred together may be a public key corresponding to the CP's private key.

Hence, the certificate of the present invention certifies the authenticity of the CP that provides specific data or function and provides a proof that the CP's public key belongs to the CP.

A recording medium, which is provided with a networking function, can provide additional data to a user from a CP via a network. In this case, the authentication method according to the present invention enables the additional data to be trusted as provided from an authentic CP.

Besides, the process in which a user requests a certificate of a CP (802) and the process in which the CP delivers the certificate via a network (803) can be achieved through an SSL (secure sockets layer) or TLS (transport layer security) handshake. Generally, SSL supports hash functions such as MD5 and SHA-1 (both since deprecated for this purpose) to generate a message authentication code for checking the integrity of authentication information.

FIG. 9 is a flowchart of an SSL handshake according to one embodiment of the present invention.

The SSL, which is a data transport protocol, enables authentication and confirmation of integrity of a message. And, the SSL enables a secret key exchange function between an Internet browser and an Internet server. Though this, security of a network for a playback system is secured.

In the SSL, the parameters of the encrypted messages must first be agreed upon. To do so, a player, e.g., a BD terminal, delivers a client_hello message to a CP (903). The client_hello message includes the SSL version, random data, a session ID, the supported cipher suites and the like.

The CP 902 transfers a server_hello message, a certificate of the CP and key exchange information of the CP to the BD terminal 901 (904). The server_hello message includes the SSL version, random data, a session ID, the supported cipher suites and the like. Through this, the BD terminal 901 and the CP 902 agree on the cipher suite to use with each other. Besides, the client_hello and server_hello messages are not limited to the formats explained in the embodiment of the present invention shown in FIG. 9.

Since a public key of the CP 902 certified by the trusted CA is included in the certificate, the BD terminal 901 can use the public key of the CP certified by the trusted CA.

The BD terminal 901 transfers the key exchange information, including random data encrypted using the CP's public key and the agreed cipher suite, to the CP 902 (905). The encryption using the public key employs the RSA scheme, for example. The BD terminal 901 and the CP 902 share a secret key such as a session key derived from the random data.

The CP 902 sends the agreed cipher suite back to the BD terminal 901 (906). Through this, as the BD terminal 901 and the CP 902 now share the same secret key, a secure channel is established (907).

Besides, the cipher suite is a set of cryptographic algorithms. Algorithms from a cipher suite are used in creating keys and in encrypting information. A cipher suite specifies one algorithm for each of the key exchange, the bulk encryption and the message authentication. Key exchange algorithms protect information required for creating shared keys. Bulk algorithms encrypt messages exchanged between clients and servers. And, message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.

In the steps 903˜906, the data is encrypted and decrypted using the public and private keys, which is called ‘asymmetric encryption’. In the step 907, in which the BD terminal 901 and the CP 902 share the same secret key, encryption and decryption are performed with that one shared key, which is called ‘symmetric encryption’.

Thus, the BD terminal 901 and the CP 902 can safely exchange information mutually using the shared encryption key without interruptive intrusions of hackers.

FIG. 10 is a diagram for an encryption method using a secret key according to the present invention.

As mentioned in the foregoing description of FIG. 9, a public key of a CP certified by a trusted CA is delivered to a user, e.g., a BD terminal. The BD terminal encrypts random data with the delivered CP's public key and forwards it to the CP, so that a secret key such as a session key can be shared with the CP.

Besides, the session key is an encryption key used only during one communication session between the parties communicating with each other. If too many ciphertexts are produced under one key, it becomes highly probable that the key can be computed by analyzing those ciphertexts. The session key is a temporary key used to prevent this. And, a session is a logical connection for conversations between a BD terminal and a CP on a network.

The public key can be delivered in two ways. Firstly, the public key of the CP is delivered to the BD terminal. Secondly, the public key of the BD terminal is delivered to the CP in the same manner.

FIG. 10 shows an example of the latter case, in which encryption and decryption methods using a delivered public key 1007 of a BD terminal and a secret key such as a session key 1004 are shown.

First of all, a CP generates an encrypted file 1005 by encrypting content data (plaintext) through a cryptographic algorithm using a session key 1004.

The cryptographic algorithm may be AES (advanced encryption standard), DES (data encryption standard), Triple DES or the like. Because a secret key is used in this step of the present invention, the step corresponds to a symmetric encryption.

An encrypted session key 1008 is generated by encrypting the session key 1004 with a public key 1007 of the BD terminal. In this case, RSA may be used as the cryptographic algorithm. Because a public key is used, this step corresponds to an asymmetric encryption.

The encrypted file 1005 and the encrypted session key 1008 are transferred to the BD terminal. The BD terminal decrypts the received encrypted session key 1008 with a private key 1009 of the BD terminal to restore the original session key 1004.

The cryptographic algorithm 1010 used for this decryption is RSA, matching the cryptographic algorithm 1006 used for the encryption. The encrypted file 1005 is then decrypted using the restored session key 1004 (1011). The cryptographic algorithm 1011 used for this decryption is AES or DES, matching the cryptographic algorithm 1003 used for the encryption. As a result of the decryption (1011), the content data 1002 transferred from the CP is recovered.

The CP can share the same secret key 1004 with the BD terminal using the above-explained methods. And, the CP can deliver the content to the BD terminal using the secret key 1004.

After the CP has transferred the CP's public key to the BD terminal, if the BD terminal attempts to transfer to the CP the content, which is encrypted with a secret key such as a session key, and the session key, which is encrypted using the CP's public key, the roles of the CP and the BD terminal are switched and the public key 1007 of the BD terminal is replaced by the public key of the CP.

FIG. 11 is a flowchart of an encryption and decryption method using a secret key and a public key according to the present invention. To enable content and a secret key to be encrypted for transfer, a BD terminal transfers a certificate to a CP (1101). Preferably, the certificate includes at least a public key of the BD terminal.

The content is encrypted with a secret key such as a session key. And, the session key is encrypted with the delivered public key of the BD terminal (1102). The encrypted file generated by encrypting the content and the encrypted session key are transferred to the BD terminal (1103).

The BD terminal restores the session key by decrypting the received encrypted session key with a private key of the BD terminal (1104). The BD terminal decrypts the received encrypted file using the restored session key (1105). Through this, the BD terminal can obtain the content which the CP attempts to deliver to a user (1106).
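The following Go code is an added illustration of steps 1102 through 1105 and is not part of the present disclosure. It assumes AES-256 in GCM mode for the content (the disclosure names AES, DES and Triple DES without a mode) and RSA-OAEP for the session key; the names Encrypt, Decrypt and newGCM are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// newGCM wraps a session key as AES-GCM; GCM is this example's choice, not the disclosure's.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the CP side (step 1102): the content is encrypted symmetrically under a fresh session key (nonce||ciphertext||tag),
// and the session key is encrypted asymmetrically under the receiver's public key; both results are what step 1103 transfers.
func Encrypt(receiverPub *rsa.PublicKey, content []byte) (encFile, encKey []byte, err error) {
	buf := make([]byte, 32+12) // random data: a 256-bit session key, then a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	encFile = gcm.Seal(nonce, nonce, content, nil) // the nonce is kept as the prefix of the encrypted file
	encKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	return encFile, encKey, err
}

// Decrypt is the BD terminal side (steps 1104-1105): restore the session key with the
// private key, then decrypt the file with it. GCM also rejects any altered ciphertext.
func Decrypt(receiverPriv *rsa.PrivateKey, encFile, encKey []byte) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, encKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil || len(encFile) < gcm.NonceSize() {
		return nil, errors.New("unusable session key or truncated encrypted file")
	}
	return gcm.Open(nil, encFile[:gcm.NonceSize()], encFile[gcm.NonceSize():], nil)
}
```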

Accordingly, by the authentication method, recording medium, encryption method, decryption method and cryptographic system of the present invention, security can be provided to the high-density optical recording medium, the reproduction system associated with the high-density optical recording medium, and the network.

Hence, the present invention protects the content provider and the playback system that reproduces the recording medium. And, by establishing the secure channel between the playback system of the recording medium and the content provider through the network to secure the safe data exchange, the present invention provides more convenient functions to the users and the content providers.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the inventions. Thus, it is intended that the present invention covers the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents. 

1. An authentication method comprising the steps of: decrypting authentication information and a content provider's public key stored in a certificate signed by a certificate authority with a public key of the certificate authority to authenticate the content provider using the decrypted authentication information; and authenticating the content provider's public key by checking the decrypted public key of the content provider.
 2. The authentication method of claim 1, further comprising the step of checking whether the certificate is valid before performing authentication.
 3. The authentication method of claim 1, wherein the authentication information and the content provider's public key are encrypted using a private key of the certificate authority.
 4. The authentication method of claim 1, wherein the certificate is one of a plurality of certificates in a certificate chain.
 5. The authentication method of claim 1, wherein the certificate is stored as a file in a recording medium.
 6. The authentication method of claim 5, wherein the file exists in a directory storing certificates only within the recording medium.
 7. The authentication method of claim 1, wherein the certificate is a certificate downloaded from an outside of a recording medium.
 8. The authentication method of claim 1, wherein the certificate follows X.509 of a public key infrastructure (PKI).
 9. The authentication method of claim 1, wherein the certificate is a certificate used in authenticating data stored within a recording medium.
 10. The authentication method of claim 1, wherein the certificate is a root certificate used in authenticating an application within a recording medium and/or a local storage.
 11. The authentication method of claim 1, wherein the certificate is a root certificate used in verifying a signature located at a signature file of a binding unit associated with a recording medium within a local storage.
 12. A recording medium comprising: a data area storing content data; and an authentication management area storing authentication information, wherein a certificate generated from encrypting authentication information and a content provider's public key is stored in the authentication management area.
 13. The recording medium of claim 12, wherein a private key of a certificate authority is used in encrypting the authentication information and the public key.
 14. The recording medium of claim 13, wherein the certificate is one of a plurality of certificates in a certificate chain.
 15. The recording medium of claim 12, wherein the certificate exists in a directory storing the certificates only within a file structure within the recording medium.
 16. The recording medium of claim 12, wherein the certificate is a certificate used for authentication of data within the recording medium.
 17. The recording medium of claim 12, wherein the certificate is a root certificate used for authentication of an application within the recording medium.
 18. The recording medium of claim 12, wherein the certificate is a root certificate used in verifying a signature located at a signature file of a binding unit associated with the recording.
 19. The recording medium of claim 12, wherein the certificate follows X.509 of a public key infrastructure (PKI).
 20. An encryption method comprising the steps of: encrypting content data with a secret key; encrypting the secret key with a public key; and transferring the encrypted content data and the encrypted secret key.
 21. The encryption method of claim 20, wherein the public key belongs to an optical terminal.
 22. The encryption method of claim 20, wherein the public key belongs to a content provider.
 23. The encryption method of claim 20, wherein the content data is encrypted by AES algorithm.
 24. The encryption method of claim 20, wherein the content data is encrypted by DES algorithm.
 25. The encryption method of claim 20, wherein the secret key is encrypted by RSA cryptographic algorithm.
 26. The encryption method of claim 20, wherein the public key is distributed by a handshake process between a content provider and an optical player.
 27. The encryption method of claim 20, wherein the secret key comprises a session key.
 28. The encryption method of claim 27, wherein the session key is generated by using random data.
 29. A decryption method comprising the steps of: receiving an encrypted secret key and encrypted content data; decrypting the encrypted secret key; and decrypting the encrypted content data using the decrypted secret key.
 30. The decryption method of claim 29, wherein the encrypted secret key is decrypted using a private key of an optical player.
 31. The decryption method of claim 29, wherein the encrypted secret key is decrypted using a private key of a content provider.
 32. The decryption method of claim 29, wherein the encrypted secret key is decrypted by RSA cryptographic algorithm.
 33. The decryption method of claim 29, wherein the encrypted content data is decrypted by AES algorithm.
 34. The decryption method of claim 29, wherein the encrypted content data is decrypted by DES algorithm.
 35. The decryption method of claim 29, wherein the secret key comprises a session key.
 36. The decryption method of claim 35, wherein the session key is generated through random data.
 37. A cryptographic system comprising: an encryption system encrypting content data with a secret key, the encryption system encrypting the secret key with a public key, the encryption system transferring the encrypted content data and the encrypted secret key; and a decryption system receiving the encrypted secret key and the encrypted content data, the decryption system decrypting the encrypted secret key, the decryption system decrypting the encrypted content data using the decrypted secret key. 